The cyber insurance dilemma: prevention vs protection

How professional services firms can address their exposure to a business-critical event

IP image

Professional services firms are becoming increasingly reliant on technology, to perform both internal and external functions, whether essential or non-essential. But with cyberattacks a growing fact of life, it is now a question of ‘not if, but when’ firms suffer a business-critical event. Addressing this exposure is a challenge that all professional services firms must meet – this was the challenge we set PureCyber and Lockton: where is the balance between prevention vs protection?

Accountancy firms represent a particularly attractive target for cybercriminals, due in large part to the sheer volume of confidential and sensitive client information which such practices typically hold. Clients’ financial details, tax returns, identification numbers, asset investments, corporate strategies, and intellectual property all constitute desirable information, and may relate to private individuals and businesses alike.

So can prevention rather than cure be enough for your business? In short, no! It’s vital that firms take effective steps to prevent their occurrence, but also in order to gain cover practitioners are being asked to demonstrate preventative measures to ensure that appropriate attention and investment have been given to cybersecurity.

These fall into three categories:

  1. Preventative controls – improving weaknesses in information systems to prevent the business from experiencing a cyberattack in the first place
  2. Detective controls – alert businesses to attempts to infiltrate their networks and warn them when a cyberattack occurs
  3. Corrective controls – used after a cyber incident to minimise the impact and help to restore functionality as quickly as possible, for example with back-ups.

Cyber insurance – a worthwhile investment

For all firms, establishing financial and operational resilience is essential. An option to mitigate the risks that cyberattacks present is to take out comprehensive cyber insurance. Doing so is not without cost. In the continuation of a trend more than a year in the making, premiums and self-insured retentions have ticked up, while limits continue to reduce. This is in line with a growing number of claims within the sector, and a rising average cost. As a result, many firms have deemed cyber protection too expensive relative to other forms of cover, such as professional indemnity insurance (PII).

But with cyberattacks occurring with increasing frequency, firms who choose to forego cyber protection must beware the significant gaps in their exposure. Contrary to popular belief, it remains the case that many traditional policies may not respond to a cyber incident. Where a policy does respond, it may only respond to third-party liabilities, and not first-party costs. To minimise premiums, firms should instead focus on scrutinising their own exposures, with a view to providing underwriters with greater assurances around their cybersecurity controls.